Accepting Social Identities: Integration With SAML and Deployment

Wednesday, February 13, 2013 – 3 p.m. ET Steve Carmody, Brown University Paul Caskey, University of Texas System Dedra Chamberlin Renee Shuey, Penn State, Host and Moderator

IAM Online is brought to you by Internet2’s InCommon in cooperation with!the EDUCAUSE Identity and Access Management Working Group

Thank you to InCommon Affiliates for helping to make IAM Online possible.

•  We’re used to working with identities vetted and issued by other campuses"

•  But, we already work with people from outside those communities"

•  Applicants"•  Parents"•  Continuing Ed/MOOCs"

•  Other areas now showing interest in working with people from outside of Higher Ed"

•  Courses – additional speakers from the community"

•  Research – partners at campuses that are not Shibboleth-enabled"

Why the Interest in Social Identities ?

2

3

Why the Interest in Social Identities ?

•  All of those people have identities at one of the social/personal providers"

•  Google, Yahoo, FaceBook, etc"

•  In some circumstances, this approach may be preferable to issuing campus identities to those people"

•  However, there is NO guarantee about who is using a social account"

Federated Identity Concept

Institution A

Institution B

Shared Courses

4

2/13/13

Institution A

Institution B

Shared Courses

Social-to-SAML Gateway

Google

Yahoo

Adding Social Identities

5

Agenda

•  The pilot Social-to-SAML Gateway (Paul Caskey)

•  Brown’s experience with the gateway and plans for social identity (Steve Carmody)

•  An open-source approach and the potential for a hosted gateway (Dedra Chamberlin and Lucas Rockwell)

6

Social2SAML:  What  Is  It?  •  Web-­‐based  authen9ca9on  gateway  (FAQ  [1])  

•  Translates  authen9ca9on  responses  from  popular  “social”  ID  services  into  regular  SAML  2  asser9ons  (consumable  by  Shibboleth)  

•  Allows  downstream  applica9ons  which  only  understand  SAML  (most  versions  of  Shibboleth),  to  easily  u9lize  external  services  without  changing  the  opera9ng  environment  

•  Designed  to  be  as  simple  and  transparent  as  possible  

7  

Social2SAML:  How  Does  It  Work?  •  Looks  like  an  IdP  to  your  SP.    Looks  like  a  single  “SP/app”  to  external  services.  

•  Consumes  InCommon  metadata  (so  your  SP  may  already  be  trusted  by  the  gateway).  

•  It  is  *not*  in  the  InCommon  metadata  (so  your  SP  will  need  to  add  appropriate  metadata  for  the  gateway  [2]  to  its  config)  

•  Runs  a  slightly  customized  version  of  SimpleSAMLPHP  [3]  

8  

Social2SAML:  How  Does  It  Work?  (cont)  

•  “Per-­‐service”  versus  “Mul9-­‐Auth”  logical  IdPs?  

•  Works  with  these  services:  –  Google  –  LinkedIn  –  WindowsLive  –  VeriSign  –  PayPal  –  Facebook  –  Twi^er  –  Yahoo  

9  

Social2SAML:  How  Does  It  Work?  (cont)  

•  Mapped  A^ributes  (if  released  by  service/user)  –  givenName  –  sn  –  mail  –  uid  

•  Generated  A^ributes  –  eduPersonPrincipalName  –  eduPersonTargetedID  (as  a  SAML  2  NameID)  –  displayName  

•  Details  here:  [2]  10  

Social2SAML:  How  Is  It  Used?  

•  Works  great  for  guest  authen9ca9on!  •  Typical  use  is  “pick-­‐and-­‐choose”  among  the  external  services  and  then  include  the  different  logical  IdPs’  metadata  in  your  SP’s  metadata  config.  

•  Links  for  metadata  –  both  mul9-­‐auth  and  individual  services  are  found  here:  [2]  

•  Even  more  powerful  when  combined  with  invita9on  capabili9es  (Grouper,  CO-­‐Manage)  

11  

Social2SAML:  Moving  Forward…  

•  Pilot  ends  at  the  end  of  May  2013!  

•  Join  the  discussion  (here  [4])  –  What  would  a  service  like  this  from  InCommon  look  like?  –  Would  it  have  invita8on/registra8on  capabili8es?  –  How  seamless  and  transparent  can  it  be?  –  How  should  certain  a>ributes  be  treated  (iden8fiers,  namely)?  

 •  Give  Feedback  (here  [5])  

12  

Links  •  [1]  

h^ps://spaces.internet2.edu/display/socialid/Social-­‐to-­‐SAML+Gateway+FAQ  

•  [2]  h^ps://samlgwtest.theo9slab.com/servDetails.html    •  [3]  h^p://www.simplesamlphp.org    •  [4]  h^ps://spaces.internet2.edu/display/socialid/Home  

•  [5]  h^ps://spaces.internet2.edu/display/socialid/Social-­‐to-­‐SAML+Feedback  

13  

Brown University

A Social-to-SAML Pilot at Brown

Steve Carmody February 13, 2013

15

Goal

•  Familiarize ourselves with the concepts •  Learn about the deploy and manage process

–  Reconfigure a test SP to use the Gateway

•  Write down what we learned •  Evaluate the results

16

Implementation Steps

•  Found in FAQ –  https://spaces.internet2.edu/x/GAAEAg

•  https://spaces.internet2.edu/display/socialid/Social-to-SAML+Gateway+FAQ - Social-to-SAMLGatewayFAQ-HowcanIusetheGatewaywithmyapplication%3F

17

Implementation Steps •  Install the Shibboleth SP or use an existing

deployment. –  https://wiki.shibboleth.net/confluence/display/SHIB2/Installation

•  Install the Discovery Service component bundled with the SP. –  No executables; just javascript and CSS

–  https://wiki.shibboleth.net/confluence/display/SHIB2/DSInstall

•  Make sure the SP is a member of the InCommon Federation, adding it to InCommon metadata if necessary. (This is because the Gateway consumes InCommon metadata.) https://incommon.org/

18

Implementation Steps •  Choose which social providers you want to use. (A list of

supported social providers is given on the Social-to-SAML Gateway Demo page.)

–  https://samlgwtest.theotislab.com/servDetails.html

•  Configure the SP to load metadata for the chosen social providers. (Metadata files are linked on the Social-to-SAML Gateway Demo page.)

–  <!-- load metadata for social-saml GW --> –  <MetadataProvider type="XML" file=“/path/social-all.xml" –  legacyOrgNames="true" >

•  Configure the SP (and possibly the application) to consume the attributes provided by the chosen social providers. (In particular, some social providers assert long, opaque identifiers.)

19

Try the Demo Yourself !

•  https://stc-test9.cis.brown.edu/secure/info.php

•  https://grouperdemo.internet2.edu/

20

What Did We Learn ?

•  Incredibly easy to deploy and configure - Thank you Paul!

•  It’s a new experience for people used to using Social Accounts

•  Also used with MACE Grouper - support for external groups – Social Providers don’t release enough info

to pre-populate the Registration page

21

Issues •  Consent screen at Social Providers asks user to

release attributes to the Gateway, not the SP

•  Each Social Provider provides different attributes

•  Many applications prefer an invitation service (eg MACE Grouper incldues one) –  Should this be part of a central service?

•  Should a locally run Gateway instance integrate with the local Person Registry, and register different providers/accounts for each person

Another  OpenSource  Social2SAML  Gateway  

 Dedra  Chamberlin  

   

•  SP  configured  directly  with  Social  IdP  •  Provides  more  clarity  to  users  when  elec9ng  to  release  a^ributes  

•  Ensures  that  one  SP  experiencing  high  volume  does  not  adversely  affect  other  SPs  

How  is  New  Gateway  Different?  

23  

HypotheAcal  Example:    

Student  Billing  System  used  by    Students  and  Parents  

Student  Requests  Access  

Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

Google LinkedIn Twitter FacebookYahoo

Canvas

25  

Re-­‐Direct  to  Campus  IdP  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

Google LinkedIn Twitter FacebookYahoo

SAML

26  

Parent  Requests  Access  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

Google LinkedIn Twitter FacebookYahoo

27  

Re-­‐Direct  to  Social2SAML  Gateway  Pilot  Gateway  A^ribute  Release  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

SAML

Google LinkedIn Twitter FacebookYahoo

28  

Re-­‐Direct  to  Social2SAML  Gateway  New  Gateway  A^ribute  Release  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Adm

issi

ons

Can

vas

Social2SAML Gateway

Con

fluen

ce

Alre

sco

Stud

ent

Bill

ing

Park

ing

Discovery

SAML

Google LinkedIn Twitter FacebookYahoo

29  

1.  Google  using  global  gateway  model    2.  Twi^er  using  Service  Provider  specific  

model    

Mock  Moodle  IntegraAon  

Guest  Access  to  Moodle  

Canvas Confluence Moodle Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

Google LinkedIn Twitter FacebookYahoo

Discovery

31  

Global  Gateway    Configured  with  Google  

Canvas Confluence Moodle Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

Google LinkedIn Twitter FacebookYahoo

Discovery

32  

33  

SP  Specific  Gateway    Configured  with  Twi^er  

Canvas Confluence Moodle Student Billing Admissions

Campus IdP

Parking

Adm

issi

ons

Can

vas

Social2SAML Gateway

Con

fluen

ce

Moo

dle

Stud

ent

Billin

g

Park

ing

Discovery

SAML

Google LinkedIn Twitter FacebookYahoo

Discovery

34  

35  

   

Social  IdP  Rate  Limits    

API  limits  applied  to    each  SP  independently  

Bills  are  Due!  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

Google LinkedIn Twitter FacebookYahoo

37  

Mul9ple  AuthN  Requests  in    Short  Time  Window    

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

SAML

Google LinkedIn Twitter FacebookYahoo

38  

Social  IdP  blocks  all  authN    Requests  to  Gateway  

Canvas Confluence Alfresco Student Billing Admissions

Campus IdP

Parking

Social2SAML Gateway

Discovery

SAML

Google LinkedIn Twitter FacebookYahoo

39  

Social  IdP  blocks  authN    Requests  to  Single  SP  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Adm

issi

ons

Can

vas

Social2SAML Gateway

Con

fluen

ce

Alre

sco

Stud

ent

Bill

ing

Park

ing

Discovery

SAML

Google LinkedIn Twitter FacebookYahoo

40  

New  Guest  Logs  in  to  Different  SP  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Adm

issi

ons

Can

vas

Social2SAML Gateway

Con

fluen

ce

Alre

sco

Stud

ent

Bill

ing

Park

ing

Discovery

SAML

Google LinkedIn Twitter FacebookYahoo

Discovery

41  

Rate-­‐Limit  for  First  SP    Doesn’t  Impact  the  Second  

Canvas Confluence Alresco Student Billing Admissions

Campus IdP

Parking

Adm

issi

ons

Can

vas

Social2SAML Gateway

Con

fluen

ce

Alre

sco

Stud

ent

Bill

ing

Park

ing

Discovery

SAML SAML

Google LinkedIn Twitter FacebookYahoo

Discovery

42  

Service  Provider    Configura9on  Tool  

•  Configura9on  management  tool  leverages  InCommon  metadata    

•  Admins  log  in  with  ins9tu9onal  iden9ty  •  SAML  asser9on  includes  email  address  •  Only  users  with  email  addresses  associated  with  SPs  in  metadata  allowed  to  configure  SPs  

Delegated  Admin  for    Config  Mangement  Tool  

44  

Social IdPs

SocialIdPSocial/SAML Gateway

OAuth to SAML

Higher Ed IdPs

InCommon Metadata

SocialIdP Management App

AuthZ adminsvia Incommon

metadata

Discovery Service

Discovery Service

SAML SAML

SAML

moodle.someu.edu

SP configinfo

moodle.someu.eduadministrator

Guest Lectureror

Guest Seminar Enrollee

Studentor

Instructor

•  SP  administrators  must  enter  Oauth  Key  and  secret  generated  by  Social  IdP    

•  Configura9on  management  tool  includes  Social  IdP  to  MACE  Dir  a^ribute  mapping  

Configuring  the  SP  

46  

47  

48  

49  

50  

51  

52  

What’s  Missing?  

Invita9on/Registra9on  Service  

•  Most  SPs  don’t  want  to  allow  anyone  with  a  Google  or  Twi^er  iden9ty  to  log  in  

•  Who  can  “invite”  or  “register”  guests?  •  Where  do  registered  guests  land  in  campus  IDMS?    Registry?    LDAP?    Grouper?  

•  How  important  is  account  linking?  – More  than  one  social  ID  to  one  person  – Social  ID(s)  to  an  ins9tu9onal  ID  

54  

•  Google  integra9on  op9ons  –  OpenID?    OAuth?  Complexity  varies  greatly  

•  Campus-­‐specific  gateways-­‐a  be^er  op9on  than  Central  Higher  Ed  gateway  – OpenID  requires  integra9on  with  realm  – A^ribute  mapping  standards  – Create  iden99es  to  use  elsewhere  on  campus  – As  a  rule,  9e  the  gateway  as  close  to  the  SP  as  possible  

Concerns  

55  

•  How  to  help  campuses  deploy  gateway  services?  – Make  new  Social2SAML  gateway  code  available  –  Provide  a  supported  gateway  service  campuses  can  run  locally  

–  Provide  managed,  cloud-­‐hosted  gateway  services  campuses  can  subscribe  to  

–  Provide  a  tool  that  can  easily  configure  simpleSAMLphp  to  run  alongside  any  Shib  integrated  Service  Provider  to  operate  as  a  gateway  

•  We’re  seeking  pilot  campuses  or  Service  Providers  to  explore  all  of  the  above  

What  Next?  

56  

•  Help  define  requirements  for  an  invita9on  service  

•  Play  with  the  new  gateway  code  when  it’s  ready  

•  Learn  more  about  possible  op9ons  for  how  this  gateway  might  be  offered  as  a  service  

 

Email:  socialiden9ty  <socialiden9ty@internet2.edu>  

If  you’d  like  to:  

57  

Evaluation Please complete the evaluation of today’s IAM Online: http://www.surveymonkey.com/s/IAMOnline_February_2013 Next IAM Online – March 13, 2013 (3 pm ET) Three Campus Case Studies of Managing Access with Grouper

•  Carnegie Mellon University •  University of Montreal •  University of Wisconsin-Madison

IAM Online Announcement List Email sympa@incommon.org with the subject: subscribe iamonline

58

Thank you to InCommon Affiliates for helping to make IAM Online possible.

Brought to you by Internet2’s InCommon, in cooperation with the EDUCAUSE Identity and Access Management Working Group

59